FEDTECH: Why do nation-state affiliated attackers seem to get more attention than other cybercriminals?
Payton: The nation-states focus on the government-industrial complex. We know the most about the nation-states because that element has been going on for so long. A lot of the cybercriminal syndicates operate like fraud rings, and we’re very good at busting up fraud rings. But the cybercrime element is probably the youngest part of what we’re looking at. Attribution is a little harder; many cybercriminal syndicates are loose collectives, so they’re hard to identify.
The other challenge is cyber incident fatigue; every week there’s something. Everybody’s overwhelmed with life, and this is just one more thing.
FEDTECH: Should any enterprise that has been attacked be required to report it?
Payton: Candidly, I have mixed emotions on this. On the one hand, I would love for every victim of a cybercrime, whether it’s a business or individual, to report it. From a greater-good perspective, it could help. But I have really mixed emotions because of our lack of remedies for individuals and organizations once you are a victim of a crime.
FEDTECH: How valuable would it be for government agencies such as CISA to have the authority to hunt down cybercriminals?
Payton: For CISA, you have to work out the legality of it. Most critical infrastructure is owned by the private sector, so what is your jurisdiction? Second, attribution is very hard. If you’re taking action against the perpetrator, but they’re actually hiding on an unsuspecting victim’s infrastructure, are you taking action against an innocent bystander who doesn’t even know they’re being used? There’s a lot of really interesting, innovative thinking there, but the practicality of executing has challenges.